US military secrets leaked to Chinese hackers for three years

A US military contractor was allegedly hacked by those associated with the Chinese military. The company reportedly ignored signs of security breaches, allowing hackers to access military technology and classified documents for three years.

QinetiQ North America was attacked by a Shanghai-based hacker
group from 2007 to 2010, Bloomberg reported on Thursday. The
hacking collective has been coined the “Comment Crew” by security
experts.

The company is known for its contributions to national security –
including software used by US forces in Afghanistan and the Middle
East.

Comment Crew’s continuous spying reportedly provided China with a
wealth of secret information on QinetiQ’s drones, satellites,
military robotics, and the US Army’s combat helicopter fleet. The
spies also stole several terabytes – equivalent to hundreds of
millions of pages – of documents and data on weapons programs.

China’s military may have also stolen programming code and design
details that it could use to disable some of the most sophisticated
US weaponry. The situation could have a crippling effect on
America’s defense capabilities.

“God forbid we get into a conflict with China but if we did we
could face a major embarrassment, where we try out all these
sophisticated weapons systems and they don’t work,” said
Richard Clarke, former special adviser to President George W. Bush
on cyber security.

But the hacking could have been easily prevented, if QinetiQ would
have picked up on one of the many warnings it received along the
way.

Failing to connect the dots

QinetiQ ignored the first sign of spying in 2007, when an agent
from the Naval Criminal Investigative Service notified the company
that two people were apparently losing classified information on
their laptops.

QinetiQ failed to act with caution, according to Brian Dykstra, a
forensics expert hired to conduct the investigation into the lost
data.

“They just felt like it was this limited little thing, like
they’d picked up some virus,” he said.

Dykstra was given only four days to complete the investigation. He
said the company didn’t give him the time or data necessary to
determine whether more employees had been successfully targeted. In
his report, Dykstra warned that QinetiQ is “likely not seeing
the full extent” of the intrusion.

His assumptions were soon proved correct. In 2008, NASA alerted the
company that hackers had tried to enter its system from one of
QinetiQ’s computers.

But QinetiQ still failed to connect the dots, treating each series
of attacks over the next several months as unrelated incidents. The
company’s ignorance was welcomed by Comment Crew, who continued to
raid servers and gather more than 13,000 internal passwords in the
first 2 ½ years.

An easy hack?

In 2010, the hackers logged onto QinetiQ’s system with
incredible ease – through the company’s remote access system, just
like an ordinary employee.

The hack was made easy because of QinetiQ’s failure to use a
two-factor authentication, allowing Comment Crew to use the stolen
password of a network administrator. But it gets even worse – the
company had discovered its own vulnerability months before, but
failed to fix it the problem.

Over the course of four days, the hackers attacked at least 14
servers, eventually hitting the jackpot when they discovered an
inventory of weapons-systems technology and source code throughout
the company.

When QinetiQ finally caught on in 2010 and hired two outside firms
to help combat the hackers. It was soon revealed that Comment Crew
had established near permanent residence in the company’s
computers.

The firms also discovered that the hackers had walked away with
information on microchips that control the company’s robots.

The chip architecture could help China test ways to take over or
defeat US robots or aerial drones, said Noel Sharkey, a drones and
robotics expert at Britain’s Sheffield University.

The hackers also targeted at least 17 employees working on the
Condition Based Maintenance program, which collects data on Apache
and Blackhawk helicopters deployed around the world.

Thus far, there has been no word from the State Department
regarding Comment Crew’s hacks into QinetiQ systems. Washington has
the power to revoke the company’s charter to handle military
technology if it finds negligence.

However, it appears the US government is doing just the opposite.
In May 2012, QinetiQ received a $4.7 million cybersecurity contract
from the US Transportation Department.